{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27708", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-23T17:56:51.203Z", "datePublished": "2026-06-24T19:24:50.417Z", "dateUpdated": "2026-06-25T20:01:04.812Z"}, "containers": {"cna": {"title": "FOSSBilling: IDOR in Servicecustom Client API allows cross-client data access", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-p36w-9x66-488j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-p36w-9x66-488j"}, {"name": "https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0"}], "affected": [{"vendor": "FOSSBilling", "product": "FOSSBilling", "versions": [{"version": "< 0.8.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-24T19:24:50.417Z"}, "descriptions": [{"lang": "en", "value": "FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's __call method accepts an order_id parameter and fetches the associated order without verifying the authenticated client owns it, potentially exposing cross-client data through IDOR. An authenticated client can access any other client's custom service by guessing sequential order IDs. This can lead to a confidentiality breach \u2014 attackers can read client PII (name, email, phone, address, company details, VAT number) and service configuration data belonging to other clients. This issue has been fixed in version 0.8.0."}], "source": {"advisory": "GHSA-p36w-9x66-488j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-25T20:00:55.598830Z", "id": "CVE-2026-27708", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-25T20:01:04.812Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "FOSSBilling: IDOR in Servicecustom Client API allows cross-client data access", "source": {"advisory": "GHSA-p36w-9x66-488j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "FOSSBilling", "product": "FOSSBilling", "versions": [{"status": "affected", "version": "< 0.8.0"}]}], "references": [{"url": "https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-p36w-9x66-488j", "name": "https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-p36w-9x66-488j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0", "name": "https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's __call method accepts an order_id parameter and fetches the associated order without verifying the authenticated client owns it, potentially exposing cross-client data through IDOR. An authenticated client can access any other client's custom service by guessing sequential order IDs. This can lead to a confidentiality breach \u2014 attackers can read client PII (name, email, phone, address, company details, VAT number) and service configuration data belonging to other clients. This issue has been fixed in version 0.8.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-24T19:24:50.417Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27708", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-25T20:00:55.598830Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-06-25T20:01:00.519Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-27708", "state": "PUBLISHED", "dateUpdated": "2026-06-24T19:24:50.417Z", "dateReserved": "2026-02-23T17:56:51.203Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-24T19:24:50.417Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.8.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "FOSSBilling", "source": "cna", "vendor": "FOSSBilling"}, "product": "fossbilling", "vendor": "fossbilling"}], "created": "2026-06-24T21:45:15.820379+00:00", "updated": "2026-06-25T06:00:05.304234+00:00", "vendors": ["fossbilling", "fossbilling$PRODUCT$fossbilling"]}